[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



10 minutes ago, saarg said:

No you can't, as nginx isn't started until you have a valid cert.

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

Link to comment
1 hour ago, BTPBen said:

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

You have to fix your port forward or whatever it is that is blocking the connection.

Link to comment

So I have been banging my head off the wall trying to figure this out. I have searched this thread and Google as much as I can. I think I might just not have the right search terms to get the info I need (or something is not working right).

 

I am trying to get nginx to pass the real client IP to the backend. I cannot figure for the life of me why it does not work. My proxy.conf is set to default right now but I have tried every combination of settings I can think of. It appears that I am passing a list of IPs to the backend that includes both the reverse proxy and the client IPs but apps are only reading the reverse proxy IP. I need to get it to pass just the client IP. How do I do this?

 

Link to comment
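The list the poster sees is the X-Forwarded-For header: SWAG's proxy.conf sets it through nginx's `$proxy_add_x_forwarded_for`, which appends the connecting address to whatever list the request already carried, so the backend receives "client, proxy" rather than a single IP. The fix is on the application side: it has to be told which proxy it trusts and then read the header correctly. The following is an added example of that logic (not SWAG's code, and not any particular app's built-in setting); the trusted network 172.18.0.0/16 and the addresses in the comments are assumptions standing in for your own proxynet range.

```python
"""Pick the real client address behind a reverse proxy.

Added example (not SWAG's code).  An app that reads only the TCP peer address
will always see the proxy; an app that blindly takes the leftmost
X-Forwarded-For entry can be fed a forged address, because the leftmost value
is whatever the client itself sent.  The safe rule: trust the header only when
the peer is a known proxy, then walk the list from the right and stop at the
first address that is not a known proxy.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed trusted-proxy list: the Docker network SWAG sits on (assumption;
# replace with your own proxynet range or the single container IP).
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def is_trusted_proxy(addr: str, trusted: Iterable = TRUSTED_PROXIES) -> bool:
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address the application should log and rate-limit on.

    remote_addr     - the TCP peer (what REMOTE_ADDR / request.remote_addr gives)
    x_forwarded_for - the raw header value, or None if the header is absent
    """
    # A connection that did not arrive through a trusted proxy may carry any
    # header it likes; ignore the header and use the peer address.
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    if not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Rightmost entries were appended by the proxies closest to us; skip every
    # trusted proxy and the next entry is the client.
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    # Every entry was a trusted proxy (e.g. an internal health check).
    return remote_addr
```

With SWAG as the only hop, `client_ip("172.18.0.2", "203.0.113.7")` yields the client; a direct connection that carries a spoofed header (`client_ip("203.0.113.7", "10.9.8.7")`) still yields the real peer. Most apps (Nextcloud's trusted_proxies, for instance) implement this same rule once you configure the proxy address.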
10 hours ago, saarg said:

You have to fix your port forward or whatever it is that is blocking the connection.

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal, should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 

telnet 192.168.0.xxx 180

 


Link to comment
5 hours ago, BTPBen said:

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal, should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 


telnet 192.168.0.xxx 180

 


Follow this https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment
31 minutes ago, BTPBen said:

Followed the guide, found out that my ISP is what's blocking port 80, and SWAG won't work if I set up a dynu port redirect to something like 40080. So I guess I will never get a certificate :/

If you use DNS validation you only need 443, only thing you really will lose is automatic http->https redirection.  

DuckDNS is free and supports DNS validation.  

Link to comment
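The telnet test in the exchange above tells you only "cannot open a connection"; the kind of failure matters, because a connection refused and a timeout point at different culprits. The script below is an added example (not from SWAG or the linked guide) that classifies the outcome of a TCP connect to each port you care about, both the external 80/443 and the host ports they are mapped to; the address 192.168.0.10 and the port list in the main block are constructed placeholders.

```python
"""Classify what a TCP connect attempt to a mapped port tells you.

Added example.  The three outcomes mean different things:
  open    - something answered; the mapping works from where you ran the probe
  refused - host reachable but nothing listens (container stopped, wrong host
            port in the mapping, or nginx not yet started because no cert exists)
  timeout - packets are silently dropped (router forward missing, ISP blocking
            port 80, a firewall); this is the 'timeouts' seen during renewal
Run it from the LAN first, then from outside (phone hotspot) to see which leg
of router -> host port -> container is broken.
"""
import socket
from typing import Dict, Iterable, Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """Return (status, detail); status is 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "connected"
    except socket.timeout:
        return "timeout", "no reply within %.1fs (filtered or dropped)" % timeout
    except ConnectionRefusedError:
        return "refused", "host reachable, nothing listening on port %d" % port
    except OSError as exc:  # no route, network unreachable, DNS failure, ...
        return "error", "%s (errno %s)" % (exc.strerror, exc.errno)


def probe_many(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, Tuple[str, str]]:
    """Probe several ports on one host, e.g. the public 80/443 and the mapped xx080/xx443."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Constructed target: replace with your server's LAN IP (or your public
    # hostname when testing from outside) and your own mapped ports.
    results = probe_many("192.168.0.10", [80, 443, 180, 1443])
    for port, (status, detail) in results.items():
        print(f"{port:>5}: {status:8} {detail}")
```

A "refused" on the mapped host port from inside the LAN means the container itself is not listening (the thread's case of nginx not starting without a certificate), while a "timeout" on port 80 from outside but "open" on the mapped port from inside matches an ISP or router block, which is what pushes you towards DNS validation on 443 only.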

Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 

[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 

Link to comment

I've been trying to search for a way to do this, but have come up empty-handed - probably because I haven't got the search terms quite right, so apologies if this has been covered before (as it almost certainly has).

 

I would like to access some internal-facing websites via SSL - ones that I do not want accessible from the internet, such as Unraid and Unifi - but I can't find a guide to do this that doesn't also point them to the internet.

What settings can I change to a) have them receive an SSL via certbot (or is my wildcard cert already covering them?) and b) to be accessible by https://subdomain.mydomain.com address, but only from my LAN?

 

Can someone point me to the right place that explains how I can do this? As I said before, I couldn't find it in the documentation mainly because I'm not quite sure what to search for.

 

Bonus points for help on how (if it's possible) to set up a cert + SSL for my pi-hole instance, which is running on a separate RPi, rather than an Unraid Docker.

 

Many thanks for your help.

Edited by jademonkee
typo
Link to comment
7 hours ago, bombz said:

Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 


[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 

See the pinned notice at the top of the thread.

Nothing to worry about.

Link to comment

Need help setting up SWAG for the first time. I have my own domain, and I have the DNS through my provider point the subdomains bitwarden.XXXX.xyz and nextcloud.XXXX.xyz at mydomain.duckdns.org. I currently have openvpn running, and when I go to my server address with openvpn enabled, it gets through to the server, so I'm pretty sure that the duckdns part is working.

 

Not sure what I'm doing wrong.

Link to comment

I have trouble making outgoing connections from inside the Docker proxy net (not using the Unraid bridge).

  • curl -I google.com works
  • curl -I some.dyndns.for.same.lan fails (e.g. cloudpi.dns.navy, a test device on a Raspberry Pi)
  • curl -I -x swag:80 some.dyndns.for.same.lan works

E.g. when I open the console for the SWAG container and try to access a Raspberry Pi that's connected to the web:

 

# curl -Iv cloudpi.dns.navy
*   Trying 37.201.145.221:80...
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available

 

This is puzzling me a lot. If you copy and paste the curl command, you'll notice that this will work fine from a regular computer. (Maybe even from your own Unraid SWAG instance? Dunno)

 

If I define a proxy parameter in the request, this works out better:

 

# curl -I -x swag:80 cloudpi.dns.navy
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Fri, 22 Jan 2021 11:10:48 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://cloudpi.dns.navy/

 

The same -x parameter makes the curl request reach the destination device from my SWAG container and my Nextcloud container.

 

I can't get it to work with a https:// URL when I specify swag:443 as the proxy. I get a 400 Bad Request by SWAG. Same for -x swag:443 https://google.com, so the port 443 forwarding isn't limited to my DynDNS.

 

I went down the curl rabbit hole because my Nextcloud could connect to an instance I hosted on my web server, but not to the device with the dns.navy URL (it is in the same LAN). I don't know anybody with a DynDNS Nextcloud instance to try to figure out what may be going wrong.

 

Am I holding it wrong? Is there any other debugging tool for this I could use? nslookup works, ping works, curl doesn't -- and to that extent, connecting Nextcloud instances here doesn't work either.

Edited by ctietze
added info that command usually works
Link to comment

With the latest update, unfortunately all of my reverse proxies are no longer working.

 

I have it configured to use my own domain, and there is a cname associated to each subdomain. My dynamic dns is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

 

My logs show that the server is ready; however, it is flagging that the proxy-conf files are out of date. Could this be causing the issue? Did the templates change materially?

 

The containers in use are Bitwardenrs, Nextcloud, and Ombi.

Link to comment

So I got openvpn working again, but I still can't get the certificate to issue. I get the following error:

Domain: bitwarden.XXXXX.xyz
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
bitwarden.XXXXX.xyz - check that a DNS record exists for this

 

I have Gandi LiveDNS set to redirect from bitwarden.XXXXX.xyz to XXXXX.duckdns.org using a CNAME:

 

NAME       TYPE   TTL    VALUE
bitwarden  CNAME  10800  XXXXX.duckdns.org

Link to comment
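The error quoted above is about the end of the chain, not the CNAME itself: the validator follows the CNAME and then needs the target name to have an A (or AAAA) record, so "NXDOMAIN looking up A" means the name the chain ends at does not resolve. The snippet below is an added example that chases a CNAME chain over a small constructed zone (it is not certbot's or Let's Encrypt's code, and the names in it are placeholders rather than the poster's), so the failure modes can be seen side by side: a target with an address, a target that does not exist, and a CNAME loop.

```python
"""Chase a CNAME chain to an address the way a validator's resolver does.

Added example over a constructed zone.  A CNAME is only an alias: if the name
it points at has no record at all, the lookup ends in NXDOMAIN.  So the check
to make is not 'does my CNAME exist' but 'does the CNAME target itself
resolve to an address' (for a DuckDNS target, that the DuckDNS name has been
updated with an IP).
"""
from typing import Dict, List, Optional, Tuple

# Constructed records keyed by (owner name, record type); names are absolute.
ZONE: Dict[Tuple[str, str], str] = {
    ("bitwarden.example.xyz.", "CNAME"): "example.duckdns.org.",
    ("example.duckdns.org.", "A"): "203.0.113.10",                # target has an address
    ("nextcloud.example.xyz.", "CNAME"): "exampel.duckdns.org.",  # misspelt target, no record
    ("loop1.example.xyz.", "CNAME"): "loop2.example.xyz.",
    ("loop2.example.xyz.", "CNAME"): "loop1.example.xyz.",
}


def resolve_a(name: str, zone: Dict[Tuple[str, str], str] = ZONE,
              max_hops: int = 8) -> Tuple[str, Optional[str], List[str]]:
    """Return (status, address, chain).

    status is 'A' on success, 'NXDOMAIN' when the chain reaches a name with no
    records, 'LOOP' for a CNAME cycle, or 'TOO_MANY_HOPS'.  chain lists every
    name visited, which is what to print when debugging a validation failure.
    """
    name = name if name.endswith(".") else name + "."
    chain = [name]
    for _ in range(max_hops):
        if (name, "A") in zone:
            return "A", zone[(name, "A")], chain
        target = zone.get((name, "CNAME"))
        if target is None:
            return "NXDOMAIN", None, chain
        if target in chain:
            return "LOOP", None, chain
        chain.append(target)
        name = target
    return "TOO_MANY_HOPS", None, chain


if __name__ == "__main__":
    for host in ("bitwarden.example.xyz", "nextcloud.example.xyz", "loop1.example.xyz"):
        status, addr, chain = resolve_a(host)
        print(f"{host}: {status} {addr or ''}  via {' -> '.join(chain)}")
```

Against real DNS the same check is `dig +trace` or `nslookup` on the CNAME target rather than on your subdomain; note also the 10800-second TTL in the record above, which is how long a stale negative answer can be cached by the resolver the validator uses.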
2 hours ago, Ryguy said:

With the latest update, unfortunately all of my reverse proxies are no longer working.

 

I have it configured to use my own domain, and there is a cname associated to each subdomain. My dynamic dns is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

 

My logs show that the server is ready; however, it is flagging that the proxy-conf files are out of date. Could this be causing the issue? Did the templates change materially?

 

The containers in use are Bitwardenrs, Nextcloud, and Ombi.

 

Same with me ... I had my server down for about 3 weeks (I had my mainboard in for warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again.

Funny thing now, as an exception to the other times it wasn't working (misconfiguration of swag/pipeline until swag), is that swag is validating the certificate for every domain and the above-mentioned subdomains, but I am still getting Bad Gateway ...

Link to comment
22 minutes ago, alexandru360 said:

 

Same with me ... I had my server down for about 3 weeks (I had my mainboard in for warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again.

Funny thing now, as an exception to the other times it wasn't working (misconfiguration of swag/pipeline until swag), is that swag is validating the certificate for every domain and the above-mentioned subdomains, but I am still getting Bad Gateway ...

 

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

Edited by alexandru360
Link to comment
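The warning quoted above comes from a date comparison: the shipped sample confs carry a header line of the form `## Version YYYY/MM/DD`, and the container compares that line in each active conf with the one in the matching `.sample` file. The script below is an added example, not part of SWAG, that performs the same comparison per file so you get a verdict for each conf instead of a bare list; it assumes that header format and that the sample sits beside the conf as `<name>.sample` (e.g. `nextcloud.subdomain.conf.sample`), and the file contents used in the comments are constructed.

```python
"""Report which proxy-confs lag behind the shipped samples.

Added example, not SWAG's own check.  A conf marked 'outdated' is one whose
sample changed after you copied it: diff it against the sample, re-create it
from the sample, and re-apply only your own edits (upstream, container name,
port).  An active conf that is older than its sample is the first thing to
rule out when a proxied app starts returning Bad Gateway after an update.
"""
import re
from datetime import date
from pathlib import Path
from typing import Dict, Optional

# Assumed header format, e.g. '## Version 2021/01/21' on the first line.
VERSION_RE = re.compile(r"^##\s*Version\s+(\d{4})/(\d{2})/(\d{2})", re.MULTILINE)


def version_date(text: str) -> Optional[date]:
    """Parse the '## Version YYYY/MM/DD' header; None when absent or malformed."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None


def compare(active: Dict[str, str], samples: Dict[str, str]) -> Dict[str, str]:
    """Verdict per active conf: current, outdated, newer, no-header or no-sample.

    active  - {filename: contents} for *.conf files
    samples - {filename: contents} for *.conf.sample files
    """
    verdict: Dict[str, str] = {}
    for name, text in active.items():
        sample = samples.get(name + ".sample")
        if sample is None:
            verdict[name] = "no-sample"   # custom conf with no shipped twin
            continue
        a, s = version_date(text), version_date(sample)
        if a is None or s is None:
            verdict[name] = "no-header"   # cannot compare; inspect by hand
        elif a < s:
            verdict[name] = "outdated"    # sample changed since you copied it
        elif a > s:
            verdict[name] = "newer"       # header date edited locally
        else:
            verdict[name] = "current"
    return verdict


def scan(folder: str) -> Dict[str, str]:
    """Load a proxy-confs directory and compare every *.conf with its sample."""
    p = Path(folder)
    active = {f.name: f.read_text() for f in p.glob("*.conf")}
    samples = {f.name: f.read_text() for f in p.glob("*.conf.sample")}
    return compare(active, samples)


if __name__ == "__main__":
    # Path as it appears in the log lines quoted in the thread.
    for name, state in sorted(scan("/config/nginx/proxy-confs").items()):
        print(f"{state:10} {name}")
```

Running it inside the container (or against the appdata folder on the host) and fixing every "outdated" entry first separates template drift from a genuine networking problem such as a container that is no longer on proxynet.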
5 minutes ago, alexandru360 said:

 

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag, and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

Link to comment
1 hour ago, alexandru360 said:

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag, and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

I’m in the same boat. Same log warnings. Can’t figure this out at all. 

Link to comment
